Consolidate Logs Across Tenancies for SIEM Integration Using Cross-Tenancy Connector Hubs and OCI Stream

Introduction

Oracle Cloud Infrastructure (OCI) is an Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS) and Software-as-a-Service (SaaS) platform trusted by large-scale enterprises. It offers a comprehensive array of managed services encompassing hosting, storage, networking, databases, and beyond.

Proactively presenting logs of security-related events for triage to the appropriate resources is crucial for detecting and preventing cybersecurity incidents. Many organizations use Security Information and Event Management (SIEM) platforms to correlate and analyze logs and alerts from relevant assets. Properly configuring the capture and retention of key logs for an appropriate duration, along with near-real-time monitoring and alerting, enables Security Operations teams to identify issues, focus on critical information based on system tuning, and take appropriate action.

A best-practice pattern for ingesting OCI logs is to send them to an OCI stream. Because OCI Streaming is Apache Kafka compatible, a third-party SIEM platform can consume the logs as a Kafka consumer, which reduces delay and provides resiliency and retention if the SIEM side is temporarily unable to consume data.

Architecture Diagram

When managing multiple tenancies, rather than integrating each region of all the tenancies with the SIEM platform individually, you can consolidate logs from multiple source tenancies (SourceTenant(s)) within a particular region into a single tenancy (TargetTenant) OCI stream by creating cross-tenancy connector hubs. The SIEM platform can then ingest logs of all the tenancies in that region through the TargetTenant stream.

Note: The OCI Connector Hub service does not currently support cross-region connector hubs.

A high-level representation of the solution architecture is shown in the following image.

Solution Architecture Diagram

Endorse, Admit, and Define Statements

To access and share resources, the administrators of both tenancies (SourceTenant(s) and TargetTenant) need to create special cross-tenancy policy statements that explicitly state the resources that can be accessed and shared. These special statements use the verbs Endorse, Admit, and Define.

An overview of the special verbs used in cross-tenancy statements:

The Endorse and Admit statements work together. Without a corresponding statement that specifies access, a particular Endorse or Admit statement grants no access. Both tenancies must agree on access.

Objectives

Prerequisites

Task 1: Create a Stream in TargetTenant

OCI Streaming service is a real-time, serverless, Apache Kafka-compatible event streaming platform for developers and data scientists. It provides a fully managed, scalable, and durable solution for ingesting and consuming high-volume data streams in real time, such as logs. You can use OCI Streaming for any use case in which data is produced and processed continually and sequentially in a publish-subscribe messaging model.

  1. Go to the OCI Console, navigate to Analytics & AI, Messaging and Streaming.

  2. Click Create Stream.

  3. Enter the following information and click Create.

    • Name: Enter the stream name. For this tutorial, we are using TargetTenant-Stream.
    • Stream Pool: Select an existing stream pool or create a new one with a public endpoint.
    • Retention (in hours): Enter the number of hours to retain messages in this stream.
    • Number of Partitions: Enter the number of partitions for the stream.
    • Total Write Rate and Total Read Rate: Enter based on the amount of data you need to process.

    You can start with default values for testing. For more information, see Partitioning a Stream.

Task 2: Write policies in SourceTenant(s)

Endorse any connector hub in the specified compartment of SourceTenant(s) to access any stream in the TargetTenant.

Command Format:

Define tenancy TargetTenant as <TargetTenant_OCID>

Endorse any-user to use stream-push in tenancy TargetTenant
    where all {
        request.principal.type = 'serviceconnector',
        request.principal.compartment.id = '<connectorHub-Compartment_OCID>'
    }

Sample Command:

Define tenancy TargetTenant as ocid1.tenancy.oc1..aaaaaaaanneylhk3ibxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Endorse any-user to use stream-push in tenancy TargetTenant where all { request.principal.type='serviceconnector', request.principal.compartment.id = 'ocid1.compartment.oc1..aaaaaaaau7xlnyxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' }

Task 3: Write policies in TargetTenant

Admit connector hubs of SourceTenant(s) to access the stream in TargetTenant.

Command Format:

Define tenancy SourceTenantA as <SourceTenant-A_OCID>

Admit any-user of tenancy SourceTenantA to use stream-push in tenancy
    where all {
        request.principal.type = 'serviceconnector'
    }

Sample Command:

Define tenancy SourceTenantA as ocid1.tenancy.oc1..aaaaaaaakxcj24xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Admit any-user of tenancy SourceTenantA to use stream-push in tenancy Where all { request.principal.type = 'serviceconnector' }

Task 4: Create OCI Connector Hub using CLI in the SourceTenant(s)

After the required policies are created in the SourceTenant(s) and TargetTenant, create an OCI Connector Hub using CLI in the SourceTenant(s). The following example CLI command specifies OCI Logging as the source and OCI Streaming as the target for creating the cross-tenancy connector hub.

The following command creates a cross-tenancy connector hub that pushes OCI Audit logs from SourceTenant(s) to the TargetTenant stream.

Command Format:

oci sch service-connector create
    --display-name <XTenancyConnectorHub-name>
    --compartment-id <ConnectorHub-Compartment_OCID>
    --source '{ "kind": "logging", "logSources": [ { "compartmentId": "<SourceTenantA_OCID>", "logGroupId": "_Audit_Include_Subcompartment" } ] }'
    --target '{ "kind": "streaming", "streamId": "<TargetTenant-Stream_OCID>" }'

Sample Command:

oci sch service-connector create --display-name XTenancyConnectorHub --compartment-id ocid1.compartment.oc1..aaaaaaaau7xlnyxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx --source '{ "kind": "logging", "logSources": [ { "compartmentId": "ocid1.tenancy.oc1..aaaaaaaakxcj24xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx","logGroupId": "_Audit_Include_Subcompartment" } ] }' --target '{ "kind": "streaming", "streamId": "ocid1.stream.oc1.iad.amaaaaaas4n35vixxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" }'

The following command creates a cross-tenancy connector hub that pushes service or custom logs from SourceTenant(s) to the TargetTenant stream. Create a log group and enable the required logs before running it.

Command Format:

oci sch service-connector create
    --display-name <XTenancyConnectorHub-Name>
    --compartment-id <ConnectorHub_Compartment_OCID>
    --source '{ "kind": "logging", "logSources": [ { "compartmentId": "<SourceTenantA-LogGroup-Compartment_OCID>", "logGroupId": "<SourceTenantA-LogGroup_OCID>" } ] }'
    --target '{ "kind": "streaming", "streamId": "<TargetTenant-Stream_OCID>" }'

Note: The policy statements in Task 2 and Task 3 and the CLI commands in Task 4 are formatted for readability. Before using them, join each statement or command onto a single line by removing line breaks, tabs, and extra spaces.

Next Steps

This tutorial has demonstrated how to consolidate logs from multiple tenancies using the cross-tenancy connector hubs and OCI stream. Third-party SIEM platforms should be configured to consume these logs as Kafka consumers. It is essential to set up dashboards in SIEM platforms to capture critical metrics and configure alerts to trigger when predefined thresholds are exceeded. Additionally, defining specific queries is crucial for detecting malicious activities and identifying patterns within your OCI tenancies. These actions will enhance your security posture and enable proactive monitoring of your cloud environment.
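To show the SIEM side of this design as an added example (not Oracle's code and not part of the original tutorial): a Python consumer for the TargetTenant stream built with kafka-python, plus a router that separates records by source tenancy and flags any tenancy that was never on-boarded, which would point at an Endorse/Admit pair that admits more than intended. The Kafka connection settings, the `logContent.oracle.tenantid` field used to identify the source tenancy, and the placeholder OCIDs in the sample messages are assumptions.

```python
import json
from collections import Counter

# Assumed OCI Streaming Kafka-compatibility settings (Oracle documents these): one bootstrap
# host per region, SASL_SSL with PLAIN, username "<tenancyName>/<userName>/<streamPoolOCID>"
# and an auth token as the password. The Kafka topic is the stream name created in Task 1.
def build_consumer(region, tenancy_name, user_name, stream_pool_ocid, auth_token,
                   stream_name="TargetTenant-Stream", group_id="siem-ingest"):
    from kafka import KafkaConsumer  # kafka-python; imported lazily so parsing runs offline
    return KafkaConsumer(
        stream_name,
        bootstrap_servers=f"cell-1.streaming.{region}.oci.oraclecloud.com:9092",
        security_protocol="SASL_SSL",
        sasl_mechanism="PLAIN",
        sasl_plain_username=f"{tenancy_name}/{user_name}/{stream_pool_ocid}",
        sasl_plain_password=auth_token,
        group_id=group_id,
        auto_offset_reset="earliest",
        enable_auto_commit=False,  # commit only after the SIEM has accepted the batch
    )

def route_record(value, expected_tenancies):
    """Return (tenant_id, log_type, expected) for one message; assumes the Logging-service
    envelope, where logContent.oracle.tenantid names the source tenancy."""
    content = json.loads(value).get("logContent", {})
    tenant = content.get("oracle", {}).get("tenantid", "unknown")
    return tenant, content.get("type", "unknown"), tenant in expected_tenancies

def summarize(messages, expected_tenancies):
    """Count records per source tenancy; records from a tenancy you never on-boarded
    point at an Endorse/Admit pair that is broader than intended."""
    per_tenant, unexpected = Counter(), []
    for value in messages:
        tenant, log_type, ok = route_record(value, expected_tenancies)
        per_tenant[tenant] += 1
        if not ok:
            unexpected.append((tenant, log_type))
    return per_tenant, unexpected

# Constructed sample messages with placeholder OCIDs, standing in for polled records.
SAMPLE = [json.dumps(m).encode() for m in [
    {"logContent": {"type": "com.oraclecloud.identityControlPlane.CreateUser",
                    "oracle": {"tenantid": "ocid1.tenancy.oc1..sourceA", "loggroupid": "_Audit"}}},
    {"logContent": {"type": "com.oraclecloud.objectstorage.getbucket",
                    "oracle": {"tenantid": "ocid1.tenancy.oc1..sourceB", "loggroupid": "_Audit"}}},
    {"logContent": {"type": "com.oraclecloud.virtualNetwork.DeleteSecurityList",
                    "oracle": {"tenantid": "ocid1.tenancy.oc1..stray", "loggroupid": "_Audit"}}},
]]
ONBOARDED = {"ocid1.tenancy.oc1..sourceA", "ocid1.tenancy.oc1..sourceB"}
```

In production, replace SAMPLE with `msg.value` from `build_consumer(...)` polling, and commit offsets only once the SIEM has acknowledged the batch.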

Acknowledgments
